Have you set proxy-address-forwarding=true? I thought that was supposed to
look at X-Forwarded-Host.
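As an added illustration (not code from this thread or from the Keycloak / Undertow projects), the following Python script parses the key=value lines of an Undertow request dump such as the one Stefan posted below and computes the base URL Keycloak would derive for `auth-server-url` with `proxy-address-forwarding` off versus on. It models the header precedence that option applies (X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port overriding the backend's own scheme, Host and port) and lists the Host vs. X-Forwarded-* disagreements that explain an unproxied URL. The trusted-proxy filter is an extra safeguard assumed here, not a setting discussed in the thread; the sample dump is constructed from the values in Stefan's message.

```python
"""Model what Keycloak's auth-server-url becomes behind a reverse proxy.

Added example, not code from the thread or from the Keycloak / Undertow
projects. It parses the key=value lines of an Undertow request dump and
models the header precedence proxy-address-forwarding applies: with it on,
X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port override the
backend's scheme / Host / port. The trusted-proxy filter is an assumption
added here (only honour forwarded headers from a known proxy address).
"""

# Constructed sample: the request lines from the dump posted in the thread.
SAMPLE_DUMP = """\
URI=/auth/admin/master/console/config
header=Accept=*/*
header=Connection=Keep-Alive
header=X-Forwarded-For=10.231.79.183
header=X-Forwarded-Server=lb.our.domain
header=User-Agent=curl/7.49.1
header=Host=machine01.our.domain:8081
header=X-Forwarded-Host=lb.our.domain
method=GET
protocol=HTTP/1.1
remoteAddr=10.231.79.183:0
scheme=http
host=machine01.our.domain:8081
"""

DEFAULT_PORTS = {"http": "80", "https": "443"}


def parse_dump(text):
    """Return (fields, headers) from the key=value lines of an Undertow dump."""
    fields, headers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:          # separator lines such as ----REQUEST----
            continue
        key, _, value = line.partition("=")
        if key == "header":
            name, _, hvalue = value.partition("=")
            headers[name.lower()] = hvalue   # header names are case-insensitive
        else:
            fields[key] = value
    return fields, headers


def base_url(fields, headers, proxy_address_forwarding, trusted_proxies=()):
    """scheme://host[:port] that absolute URLs would be built from.

    With proxy_address_forwarding=False the backend's Host header wins, which
    reproduces the unproxied auth-server-url in the thread. With True the
    X-Forwarded-* headers win, but (assumption added here) only when the
    immediate peer is in trusted_proxies; an empty set trusts every peer.
    """
    scheme = fields.get("scheme", "http")
    host = headers.get("host") or fields.get("host", "")
    peer = fields.get("remoteAddr", "").rsplit(":", 1)[0]
    honour = proxy_address_forwarding and (not trusted_proxies or peer in trusted_proxies)
    if honour:
        scheme = headers.get("x-forwarded-proto", scheme).split(",")[0].strip()
        fwd_host = headers.get("x-forwarded-host")
        if fwd_host:
            host = fwd_host.split(",")[0].strip()   # first hop if proxies chained
            port = headers.get("x-forwarded-port")
            if port and ":" not in host and port != DEFAULT_PORTS.get(scheme):
                host = f"{host}:{port}"
    return f"{scheme}://{host}"


def forwarding_mismatches(fields, headers):
    """Describe Host/X-Forwarded-* disagreements a proxy operator should check."""
    issues = []
    fwd_host = headers.get("x-forwarded-host")
    fwd_proto = headers.get("x-forwarded-proto")
    if fwd_host and fwd_host != headers.get("host"):
        issues.append(f"Host={headers.get('host')} differs from X-Forwarded-Host={fwd_host}")
    if fwd_proto and fwd_proto != fields.get("scheme"):
        issues.append(f"scheme={fields.get('scheme')} differs from X-Forwarded-Proto={fwd_proto}")
    if fwd_host and not fwd_proto:
        issues.append("X-Forwarded-Host set but X-Forwarded-Proto missing; scheme falls back to the backend's")
    return issues


def analyse(text, proxy_address_forwarding, trusted_proxies=()):
    """Parse a dump and return the resulting auth-server-url plus the checks."""
    fields, headers = parse_dump(text)
    base = base_url(fields, headers, proxy_address_forwarding, trusted_proxies)
    return {"auth_server_url": base + "/auth",
            "issues": forwarding_mismatches(fields, headers)}


if __name__ == "__main__":
    for mode in (False, True):
        result = analyse(SAMPLE_DUMP, mode)
        print(f"proxy-address-forwarding={str(mode).lower()}: {result['auth_server_url']}")
    for issue in analyse(SAMPLE_DUMP, True)["issues"]:
        print("check:", issue)
```

Run against the sample, the script yields `http://machine01.our.domain:8081/auth` with forwarding off and `http://lb.our.domain/auth` with it on, and flags that the dump carries X-Forwarded-Host without X-Forwarded-Proto, so a TLS-terminating proxy would still produce an http URL.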
On 9 September 2016 at 11:45, KASALA Štefan <Stefan.Kasala(a)posam.sk> wrote:
Hello,
thanks for the hints, I added request header dumps for the keycloak server:
curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
keycloak server log:
2016-09-09 11:38:40,825 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /admin/master/console/config
2016-09-09 11:38:40,826 INFO [io.undertow.request.dump] (default task-15)
----------------------------REQUEST---------------------------
URI=/auth/admin/master/console/config
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=*/*
header=Connection=Keep-Alive
header=X-Forwarded-For=10.231.79.183
header=X-Forwarded-Server=lb.our.domain
header=User-Agent=curl/7.49.1
header=Host=machine01.our.domain:8081
header=X-Forwarded-Host=lb.our.domain
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=10.231.79.183:0
remoteHost=10.231.79.183
scheme=http
host=machine01.our.domain:8081
serverPort=0
--------------------------RESPONSE--------------------------
contentLength=574
contentType=application/json
header=Connection=keep-alive
header=Cache-Control=no-cache
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Content-Type=application/json
header=Content-Length=574
header=Date=Fri, 09 Sep 2016 09:38:40 GMT
status=200
==============================================================
out:
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "master",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}
Is it possible to configure keycloak / undertow to use the X-Forwarded-Host
header for absolute URLs, or do we have to forward the original host to keycloak?
Thanks
Stefan
*From:* Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Friday, September 9, 2016 9:38 AM
*To:* KASALA Štefan <Stefan.Kasala(a)posam.sk>;
keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Getting 401 if trying to access app via
loadbalancer
This is set from the HTTP request url, so it looks that your Keycloak is
seeing "http://machine01.our.domain:8081/auth" as the request URL instead of
"http://lb.our.domain/auth/admin/governance/console/config". Maybe the set of
X-Forwarded-Host on your LB side?
Marek
On 08/09/16 13:05, KASALA Štefan wrote:
Hello,
Finally we upgraded to Keycloak 2.1.0.Final. We have configured an Apache
httpd proxy in front of the server. We configured the keycloak server according
to
https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html.
The configuration is still not complete/correct, probably I missed
something. When I access the proxied URL for either of our configured realms I
get the unproxied auth-server-url:
[localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/governance/console/config | python -m json.tool
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "governance",
    "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}
[localuser@machine01:~/keycloak]$ curl -s http://lb.our.domain/auth/admin/master/console/config | python -m json.tool
{
    "auth-server-url": "http://machine01.our.domain:8081/auth",
    "public-client": true,
    "realm": "master",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJYkLAIk+/lkVQFcKtKKFG7/n9B5m7kBcExUg3VqbbbZZy3NUmfzRyQeKMw9TdFirXwhoS+xnyYC/bo1m8BLJB3fACmPKSGdTZdsf9t37z12pWELUk07O5IfjNh5ITPgDmTkHY3dE1E4CxyabdSkhCGdGjBI0HZa8Ekc91Hk7JKCJ62g7yoEwHai8POiFAk2LoRUFlc42rpLmhvgZooUDD5/R/XUEOHk1U0fQJP0GAHjZyJnPisCoSdFoCoBoGb12m0PrFOXQBpn4QOMIiidU8Vt/D2Gc7I/fiPBhMKBXcinL5i5wvy1EizA8f9tRv4mvyb0+fCT8aDi0M2qK7KvmwIDAQAB",
    "resource": "security-admin-console",
    "ssl-required": "external"
}
How can I configure it to return the proxied version? Thanks.
Stefan.
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, June 28, 2016 3:51 PM
*To:* KASALA Štefan <Stefan.Kasala(a)posam.sk>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Getting 401 if trying to access app via
loadbalancer
Firstly, please upgrade to a more recent Keycloak version. Then refer to
https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
for details on how to set up a reverse proxy / load balancer in front of Keycloak.
On 27 June 2016 at 09:18, KASALA Štefan <Stefan.Kasala(a)posam.sk> wrote:
Hello,
we have installed JBoss Overlord Rtgov 2.1.0, which is using
Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3; I will refer to it by the
hostname app01. We have a load balancer under another hostname, lbapp, in
front of the deployed app. I am able to call the REST interface of RtGov
directly on machine app01 but not via lbapp, where I get 401 - Unauthorized
from Keycloak. My guess is there is some check against the hostname in the HTTP
request. Is there some possibility to register aliases with keycloak to
enable calls via the load balancer? Thanks.
Stefan Kasala
------------------------------
This message is for the designated recipient only and may contain
confidential or internal information. If you have received it in error,
please notify the sender immediately and delete the original. Any other use
of the e-mail by you is prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user